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(54) Method and apparatus for controlling access to storage device 



(57) The storage regions (50) undor command of a 
storage controller (40) can be simply enabled and disa- 
bled to access to by automatically registering connected 
host computers (10. 20. 30). Such system can be 
achieved by taking a step (503) of acquiring 
N_Port_Namc information included in a login frame (70) 



from the host computers, and a step (507) of displaying 
a tabic (200, 201 . 202; 700) of access right of host com- 
puters (10, 20, 30) to a logical unit (51. 52) under com- 
mand of storage controller. A security table (202, 202; 
700) for the 3lorago controller (40) can be generated by 
supervisor's setting the access onablo/disablo flag in- 
formation (508). 
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Description 



SUMMARY OF THE INVENTION 



BACKGROUND OF THE INVENTION 

[0001] Tho present invention generally relates to se- 
curity 'jetting tor prevention of illegal access between 
information processors. Particularly, tho invention re- 
lates 1o a storage system lor prevention of illegal access 
when a request occurs to access to a storage region 
under command of a storage controller in a computer 
system having a network provided between a high-rank 
unit (host computer) and the storage controller (storage 
system), and relates to the computer system including 
this storage system. 

(0002] In the fiber channel protocol standardized by 
ANSI, X3T11, a great number of apparatus can be con- 
nected, and a large variety of protocols such as SOS), 
ESCON and TCP/IP can be simultaneously operated. 
However, when it is feared thai data in storage devices 
is destroyed by an access which a different tile system 
makes due to a different kind of protocol, It is necessary 
to take a security measure against that. 
[0003] To assure this security, as described in JP-A- 
10-333839. a table showing information for uniquoly 
idenlilying host computers and to either permit or reject 
access lo storage regions under command of a storage 
controller is provided within tho storage controller. At the 
time of access, by referring to this table, it is possible to 
reject the access from the other apparatus than the host 
computers that are permitted to access, and hence pre- 
vent illegal access. 

[0004] This identitycation information is on array of 
4fi-bit digits called N_Port. Name, unique to each host 
bus adaptor. Under tho condition that the identification 
inlormotion lor host computers arc previously registered 
within the storage controller, the host computers can 
make access to storage regions within a storage device 
under command of the storage controller. 
[0005) in order to previously register the host compu- 
ter identifying information within the storage controller, 
the user or supervisor is first required to examine the 
N„Port..Namo oxpras&od by 48-bit digits thai has an 
eigM-byte region peculiar lo a host computer by use of 
a manager connected lo host computers through LAN. 
Then, it is necessary that this number be noted and reg- 
istered in the storage controller by his own hand. Thore- 
lore, it is feared that il a wrong N_Port_Name is regis- 
tered by mistake as tho correct one of a host computer, 
this host computer cannot access to a storage region or 
an undesired host computer might make access lo a 
storage region and destroy data. 
[0006] Moreover, when inlormation of either permit- 
ting or rejecting access to a large number of host com- 
puters is registered, it takes much time. Therefore, it is 
desired that this identification information be simply ac- 
quired and set. 



[0007] Accordingly, il is an object ol Ihu invention lo 
provide a system capable of acquiring information that 

t> uniquely identifies the connected host computers and 
automatically registering it within a storage controller, 
thoroby making it possible simply to cither permit or re- 
ject access to storage regions under command of the 
storage controller. 

io [0008] To achieve the above object, according lo the 
invention, the host-ldontifying information is first ac- 
quired from a frame transmitted from the corresponding 
host computer, and registered in tho storage controller, 
and then flag information is set lo change lor permitting 

H> that host computor to access by the supervisor's oper- 
ation. 

BRIEF DESCRIPTION OF THE DRAWINGS 
M [0009] 



Fig. 1 is a block diagram showing a hardware struc- 
ture ol an embodiment of the invention. 
Fig. 2 is a diagram showing the format of a frame. 
Pig. 3 is a diagram showing the details of the frame 
header 

Fig. A is a diagram showing the sequence of log-in 
botween host computer and device- 
Fig. 5 is a flowchart for log-in. and security table reg- 
istration and setting. 

Fig. 6 is a flowchart for addition of a host computer 
to an operating computer system. 
Figs. 7A, 7B. 7C and 7D show examples of the se- 
curity table, 

Fig. 8 is a diagram showing an example of the dis- 
play panel used at the time of registering socurity 
information. 

Fig. 9 is a flowchart for the process to INQUIRY 
command. 

Fig. 10 is a flowchart for the process having a se- 
curity table auto-sotting mode. 
Fig. 11 is a llowchart for the process taken when a 
device intermits. 

Fig. 12 is a flowchart for security table change and 
re-login. 

Fig. 13 is a diagram showing a computer system 
having SAN manager. 

DESCRIPTION OF THE EMBODIMENTS 
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[0010] Embodiments of the invention will be de- 
scribed with reference to the accompanying drawings. 
[0011] A description will be made of a computer sys- 
tem constructed by uso of a storage controller and mag- 
tt> nolic disk units as a storage system according to the 
present invention, and a network constructed by provid* 
ing a fiber channol between the storage system and host 
computers, or a computer systom undor the so-called 
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SAN (Storage Area Network) environment. 
[0012] The fiber channel is a protocol having a serial 
transfer system with no own command sot. Sinca it 
sends information asynchronously, the frequency bands 
of transmission media can bo effectively used. o 
In addition, instead of having no own commands, a 
physical transfer system is used as a carrying way lor a 
command sol such as SCSI or ESCON. thereby making 
il possible to faster transfer data of various kinds while 
tho background art resources are being inherited. to 
[0013] Fig. 1 is a block diagram showing a hardware 
structure of a computer system according to the inven- 
tion, Referring to Fig. 1 , there arc shown host computers 
10. 20. 30, each acting as a central processing unit for 
performing data processing. A plurality of magnetic disk ™ 
drives 50 are storage units with storago media that are 
conncctod in an array under command ol a storago con- 
troller 40. The storage controller 40 is a disk array sys- 
tem for controlling these magnetic disk drives 50. 
[0014] The storage controller 40 is constructed by a m 
front end control unit (channel adapter) 41 for controlling 
the fiber channel protocol to the host computers 10, 20. 
30, a microprocessor 42 (or controlling all the storage 
controller 40. a nonvolatile control memory 4 3 for storing 
a microprogram for controlling tho operation of storage 26' 
controller 40. data for control and each table described 
later, cache 45 for temporarily storing (buffering) data, 
a cache control unit 44 for controlling this cache 45 to 
read and write data, a back end control unit (disk adapt- 
er) 46 for controlling a protocol used to the magnetic w 
disk drives 50 to control data transfer to or from tho mag- 
netic disk drives 50. and a panel 47 on which information 
is set. 

[0015] The magnetic disk drives 50 are expressed as 
logically divided regions. In the SCSI protocol, Ihese re- 
giens are called LU (Logical Unit), and numbered by 
LUN (Logical Unit Number). In this embodiment, two re- 
gions of LU0 (51) and LU1 (52) are shown as LU of LUO 
and LU of LU1. 

[001 6] The host computers 1 0. 20, 30 and the storago w 
controller 40 are connected through a fiber channel 60 
as an interface i.e., via a switch called "Fabric". 
[0017] Tho operation of the system shown in Fig. 1 
wilt be described. As an example of this operation, it is 
assumed that data Is transferred between the host com- 
puler 10 and the LU0 (51) provided within tho disk drive 
50 through tho storage controller 40, The host computer 
10 logins the storage controller 40, Then, when tho host 
computer 10 issues an access request (I/O request) to 
tho LUO (51), the front end control unit 41 that rcceivod $o 
this request send3 an interruption request to the micro- 
processor 42. The microprocessor 42 controls tho con- 
trol memory 43 to store command information from the 
host computer 1 0 and information for identifying the host 
computer 10. When the host computer 10 is previously to 
permittod to access to the LU0 (51 ), the microprocessor 
42 confirms the command typo. 
[001 8] When the confirmed command is Read com* 
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mand, the microprocessor 42 decides if the data block 
to be accessed exists in the cache 45. If this data exists, 
it is iransfarred to the host computer 10. end the end 
sign is sent to the host computer 10. If the data is not 
present, the back end controller 46 is operated to read 
the data block from the LU0 (51 ), and the cache control 
unit 44 controls the read data to be stored in the cache 
45. Then, the microprocessor 42 orders the front end 
control unit 41 to transfer (he data stored in the cache 
45 to tho host computer 10, and to report tho end sign 
to Ihe host computer 10. 

[0019] If the confirmed command is Write command, 
the microprocessor 42 controls the cache 45 to store the 
data to be written, and sends the end sign to tho host 
computer 10. Thon. tho cache control unit 44 is used to 
send this data to the LUO (51) and completely write 
therein. 

(0020] The basic unit of data thai the fiber channel 
handles is called frame. This frame will bo described 
with reference to Fig. 2. As shown in Fig. 2, a frame 70 
is formed of a starl-of-framc (SOF) 71, a frame header 

72 of 24 bytos for link operation control and for charac- 
terizing the frame, a data field 73 of data itself to be ac- 
tually transferred, a cyclic redundancy check (CRC) 74 
of 4 bytes, and an end-ol-framo (EOF) 75. The data field 

73 is variable in the range from 0 to 2112 bytes. 
[0021] The SOF 71 is an identifier of 4 bytes placed 
at the head of the frame. The EOF 75 is an identifier of 
4 bytes placed at tho back of the frame. The SOF 71 
and Ihe EOF 75 define the Irame. A signal of idle flows 
in tho fiber channel when there is no frame. 

Fig, 3 shows the format 80 of the frame header 72. 
10022] The format of the frame header 72 will bo do- 
scribed below with reference to Fig. 3. The frame header 
72 is formed of six words of 32 bits each. A destination 
identifier DJD (Destination ID) 81 of 23rd - 0lh bit of 
word 0 is an address identifier for the frame receiving 
side. A source identifier S JD 82 of 23rd - 0th bit of word 
1 is an address identifier of three bytos for identifying a 
port ol the transmission source of the frame. This iden- 
liiier has a meaningful value in all frames transmitted 
and received. The S JD 82 is the information capable ol 
dynamically and uniquely identifying a host computer, 
and is h value reported from the host computer at ihe 
time of PLOGI (described later). However, this SJD 82 
is. for example, a value dynamically changing each time 
the system is started, and assigned at the time of initial- 
ization by Fabric in FC-PH (Fiber Channel Physical and 
Signaling Interface: US standard of liber channel). The 
valuo to be assigned deponds on N_Port_Name and 
Node_Name which each port has. 
{0023] The kind of frame is roughly divided into data 
frame and link control frame on the basis of Ihe function. 
The data frame is used for information transfer, and has 
data and commands provided at tho payload section ol 
the data field for use in a high-rank protocol. The link 
control frame is gcnorally used for indicating if the frame 
transmission has been successfully or unsuccessfully 
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mado. As an example of ihe link control frame, there is 
a frame lor indicating that a single frame has received 
or a Iramc (or notifying parameters of transfer at (he lima 
of log-in, 

[0024] In the fiber channel interface, a host computer 
sends to a device a frame of port log-in PLOGI (N^Pori 
Login) command including a communication parameter, 
and the device accepts this frame, thus communications 
boing made possible. This is called login, 
[0025] A description will be made of the format of 
PLOGI frame that is a communication request of a cer- 
tain host computer to the storage controller 40. In the 
data field 73, the first 8-bytes region of the twentieth to 
twenty-seventh byte (fifth to sixth word) is a region for 
storing the N_PortJvJamo, and the second 8-bytes re- 
gion of the twenly*eighlh to thirty-fifth byte (seventh to 
eighth word) is a region for storing the Node_Name. 
[0026] The device sends to the host computer a frame 
called ACC (Accept) at the time ol accepting the re- 
quest, or LS_RJT (Link Service Reject) at the time of 
rejecting the request, 

(0027] Fig. 4 shows a login sequence 100, The host 
computer as a source of login request sends the PLOGI 
frame to tho storage controller 40 of a device as a des- 
tination of login request. This PLOGI frame has its frame 
header 72 including SJD 82 and other information, and 
its data field 73 including the N_Port_Namo and 
Node. Name of the login request source. 
[0028] The storage controller 40 takes information out 
of this PLOGI. When accepting the login, it transmits 
ACC frame to the source of login request. When reject- 
ing the login, the storage controller 40 transmits to the 
host computer a frame called LS_R JT against the PLO- 
GI frame, 

[0029] Tho security information acquisition and auto- 
matic registration according to the invention will be de- 
scribed with reteronce to Fig. 5. Hero, in place of N- 
PorLName, WWN (World Wide Name) thai is similarly 
expressed by an array of 48-bit digits is used as trans- 
mission source identifying information. The WWN has a 
value of 8 bytes peculiar to each apparatus as does the 
N ,_Port_Name. It may include* Porl_Namc peculiar for 
each port and Node. .Name peculiar to each node. 
[0030} After a peripheral unit such as storage control- 
ler 40 is first started, the host computer 10, 20, 30 is 
started up (step 501). Each host computer issues a 
PLOGI frame as a login request frame including 
N_Porl_Name information peculiar to each host. 
[0031 ] The microprocessor 42 of the storage control* 
tor 40 receives the frame sent through the port (not 
shown) of tho front end control unit 41 (step 502). Then, 
the microprocessor 42 cuts off the WWN information out 
of the frame, forces the buffer (not shown) of the cache 
40 to store that information, and refers to a port socurity 
table (host computer information table) 200 defined 
within the control memory to see if it is already registered 
in the WWN list of the table 200 (step 503). The frame 
at the time of actual I/O request (Inquiry) which will be 
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described later has no N_Port_Name added, but only 
SJD added the value of which changes for each time 
of starling. Thus, the microprocessor M cuts off SJD 
out of the frame header of PLOGI. and WWN out of the 

i> data field, and generates the security table (host com- 
puter information tabl«) 200, as shown in Fig. 7 A, to en- 
able N_Port_Namo to be pulled out ol SJD at the time 
of inquiry, This table is stored in the control memory 43. 
It is assumed that tho part of list in which the WWN in- 
fo formation of port security table 200 is stored has initially 
a value Irrespective of the WWN information as a de- 
fault, Each time each of the host computers issues PLO- 
GI frame, the WWN (or N_ForLName) and SJD includ- 
ed in the PLOGI frame are automatically registered in 

'5 the security table 200. 

[0032] If H is decided to be falso (YES at step 503'), 
the Cut-off WWN information ot host bus adapters 11, 
21, 31 of host computers 10. 20, 30, assumed as host 
A. host B and host C. are stored in Ihe security table 200 

so successively (step 504). Since tho WWN information in- 
serted within tho frame the host computer 10, 20, 30 has 
issued does not agroo with the values registered as de- 
fault within the table 200. the microprocessor 42 ot the 
storage controller 40 sends LS^RJT Irarne having a re- 

25 ject parameter for rejection against the connection back 
to tho host computer 10. 20. 30 (step 505). 
[0033] Since the storage controller 40 cannot accept 
the I/O of host computer 1 0, 20, 30 at the lime of newiy 
starting as describe above, thy panel 47 is used to as- 

30 sign those host computers to the respective ports ot the 
front end control unit 41 that the storage controller 40 
can permit to access to the ports. The supervisor uses 
the panel 47, and orders it to perform a port security 
change task for port in order lhat the host computer 10 
can access to the controller via a port of front end control 
unit 41 . When a port security change window is brought 
about by pushing koys of a key area 472 ot panel 47, 
WWN information is displayed in the order of automatic 
registration on the WWN column of table 200. 

40 [0034] As shown in Fig. 8. the automatically regis- 
tered Host A, host 8 and host C are displayed on the 
panel screen. Thu supervisor operates keys to select 
the Host A as WWN information of host bus adapter 11 
of host computer 10, and to select the Enable of the port 

M access permit/reject pair flag information on the laole, 
thus enabling the host to access. This port access per- 
mit/reject Mag information is previously set lo be Disable 
as default. Similarly, the access from host computers 20 
and 30 can be enabled (steps 506, 607, 508. 514). An 
so example of how to enter is shown In Fig. 8, The panel 
47 is shown in Fig. 6. In the panel 47, a display 471 is 
shown to indicate the automatically registered host com- 
puters (in this case. Host A and Host 0 are already reg- 
istered, and Host C is to be newly registered), 
as When Host C is selocted by pushing the arrow keys of 
ihe key set 472, the LU access permit/reject flag infor- 
mation can bo sot to bo Enable or Disable. Then here 
the supervisor selects Enable thus enabling this host to 
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access. U is better to sot Disable as the default of this 
LU access permit/reject flag information. The key set 
472 may have koys for numerals that allow WWN to be 
manually inputted by hand as in the background art. In 
Fig. a, for the sake of simplicity, a single LU (storage 
region) is shown. 

[0035] Next, the host computers 10, 20, 30 make re- 
recognition processing for the connected devices (step 
514). 

[0036] The host compuier 10, 20, 30 again issues 
PLOGI frame as a login request frame, and the micro- 
processor 42 of storage controller 4© receives the frame 
led through a port of Iront end control unit 41 (step 502). 
Then, the microprocessor A2 cuts oil the WWN informa- 
tion out of the framo, and compares it with the WWN 
information list within the port security table 200 (steps 
503. 603'). When it is decided to agree because it Is al- 
ready registered (NO of step 503'). »he microprocessor 
sends back to the host computer 10. 20. 30 a frame in- 
dicating that login is possiblo. Thereafter, login process- 
ing is continued, and the storage regions 51, 52 under 
command of storage controller 40 can be accessed by 
the host computers 10, 20, 30 (stops 515 to 517). 
[0037] At slop O03\ when it is recognized that a now 
host computer i3 connected, that the new host computer 
ha* been corrected is indicated on me panel display. At 
this time, the supervisor Is urged to make mode selec- 
tion for the registration in the socurity tablo. Tho modos 
that can be selected at stop 506 include a mode in which 
WWN itself is used to register, and a mode In which 
CompanyJD included in WWN is used to register, The* 
fact that a new host computer has been connected may 
bo indicated by means of blinking on the display, guide 
using voice or other ways thai (he supervisor can per- 
ceive. 

[00381 The CompanyJD will be described. The 
N_Port_Name of 8 bytes includes CompanyJD (select- 
ed whan a four-bit aroa of 60th bit to 63rd bit ha3 a par* 
liculor value) in a 24-bit area of 36lh bit to 59th bit. and 
VS JD (Vendor Specific Identifier) in a 36-bit area of 0th 
bit to 35th bit. Here, a unique value is allocated to the 
CompanyJD of each vendor. That is, the same vendor 
has the same value. 

[0039] Under the security for preventing data damage 
by I/O from a host computer having a different protocol 
and different file system, the same device can be often 
accessed by host computers of tho same vendor. There- 
fore, there will be oflen no trouble even if security is sei 
up for each vendor. Thus, since the access enable/dis- 
able conditions can bo provided for a unit of a plurality 
of host computers, the security table (access enable/ 
disable table) can be more cosily generated. 
[0040) When the supervisor selects the registration of 
WWN (of each of a plurality of host computers to be reg- 
istered), and when any security tablo is not generated 
yet, e.g., when the system is started, the microprocessor 
42 recognizes LU that is a storage region under com- 
mand of storage controller 40. Thon, it generates a se- 



curity table (access enable/disable table) 201 of hosl 
computes and LU as shown in Fig. 7B. If tho socurity 
table 201 is previously generated, e.g., when a hosl 
computer is added or restarting is made, a host compu- 
* ter corresponding to a now WWN is added to the secu- 
rity table 201 . thus a new security table being generated. 
[0041] This socurity table 201 is shown in the display 
of panel 47 (step 507). The supervisor inputs only ac- 
cess enable or disable designation for the host comput- 
us ors on the tabic by use of tho panel 47 (step 508). 
[0042] When the supervisor selects the registration of 
each vendor, tho microprocessor 42 cuts CompanyJD 
off out of WWN (step 509). Then, an access enable/dis- 
able table 202 or vendor and LU as shown in Fig. 7C is 
ts generated and displayed as at step 507 by use of this 
CompanyJD (step 510). The supervisor enters only the 
access enable or disable designation lor the host com- 
puters on the table by use of panel 47 (step 511). 
[0043] Since the security table 201 shows the relation 
w between the host (WWN) and LU, the access enable 
and disable designation for the host computers (WWN) 
each having a CompanyJD ore automatically entered 
with reference to the access enable/disable table 202 
gonoratod at step 511. thus replacing the process at 
» step 507 (step 512). 

[0044] Thus, the socurity table 201 is completely set 
up by the above inpul operation and updated (step 513). 
[0045] After updating the security table 201, the mi- 
croprocessor 42 issues GPNJD (Got (v Pon^Nome) to 
M host computers, causing the host computers to issue 
PLOGI (step 514). 

[0046] Since a new WWN is not handled this lime, NO 
is selected at step 603\ and the process goes to step 
515. 

W [0047] When WWN i3 known at step 503', login con- 
tinues, and it is decided if this WWN can login in storage 
controller 40. For this purpose, with rolcrcnco to security 
table 201 it is decided if this WWN has right to access 
to a given LU (LU0 or LU1 in Fig. 1 ) under command of 

•'0 storage controller 40 (step 515). 

[0048] ACC is sent back to the host computer in which 
the access right is already set (step 516), and login op- 
eration is completed (step 517). 
[0049] LS_RJT i3 transmitted bock to the host com- 
puter that has no access right (step 518), and login is 
rejected (step 519). 

[0050] When a plurality of host computers are newly 
connected, e.g.. when the system is initially started, the 
supervisor cannot recognize which host computer cor- 

50 responds to a WWN. Therefore, el step 506, when reg- 
istration is made for each WWN, the relation between 
host and WWN is checked from the SAN manager sep- 
arately connected to the system. Under this checking, 
the supervisor can generate the security table 201 by 

55 only entering the presence or absence of the access 
right. 

(0051] The SAN manager will be described with ref- 
erence to Fig. 13. The host computers 10, 20, 30 end 



5 



01/13/2006 14:56 FAX 2148558200 



FULBRIGHT & JAWORSKI 



0 022/038 



EP 1 158 386 A2 



10 



9 

the storage controller 40 are also connected through a 
local area network (LAN) 61 other than the fiber channel 
Fabric 00. SAN manager unit 90 and the Tiber channel 
Fabric 60 arc also connected to this LAN 61. The SAN 
manager unit 90 is PC or WS, and acquires information 
about SAN system construction from the host comput- 
ers 10, 20, 30. storage controller 40 and fiber channel 
Fabric 60 via LAN 61. 

[0052] in addition, at step 506. for the case in which 
vendor registration mode Is selected* thu control mem- 
ory previously stores the Company. J D of each vendor, 
and thus it can be known that a new WWN corresponds 
to a particular host computer of a certain vendor. There- 
fore, even at the time Of Initial setting, by only mode se- 
lection it is possible that the supervisor generates the 
security table 201 without entering the presence or ab- 
sence of access right. 

(0053] A description will bo made of the case where 
a new host computer is added to the operating computer 
system with reference to Figs. 1 and 6. In the system 
construction shown in Fig. 1, it Is assumed that the host 
computer 30 is added under the operation of the system 
that has no host computer 30. When the host computer 
30 is newly connected to the system, i.e.. when the cable 
connected to the host bus adapter (not shown) of host 
computer 30 is connected to the switch 60 of the liber 
channel Fabric, fabric login FLOG! is executed between 
the host computer 30 and the switch, The fiber channel 
Fabric switch 60 sends to all connected devices, RSCN 
(Registered State Change Notification) that indicates 
change of state (step 001). The microprocessor 42 of 
the storage controller 40 that has received this notifica- 
tion transmits an ACC (Accept) frame (slop 602). 
[0054] Since tho added host computer does not cor- 
respond to any one of the host computers under login. 
Get Port Name (GPNJD) is transmitted to the host com- 
puter 30 to request N .Port_Name information (step 
603). Since the received N _ Port...Name information is 
of course not registered even referring to the 
N_Port_Neme information list of security table 200. the 
N. Port_Name information of the added host computer 
30 is stored in the port socurity table 200 (step 604). 
[0055] Since the S.JD of the host computer 30 is not 
acquired yet. the storage controller 40 cannot accept the 
access by the host computer 30 under this condition. 
Therefore, the supervisor assigns the host computer, 
and makes it be enabled to access by use of panel 47. 
The supervisor requires to execute a port security 
change task for port P0 on the panel 47 in order that the 
host computer 30 can bo enabled to access via port P0 
of front end control unit 41. As a result, the 
N_Port. ..Name information is displayed on the security 
table 200 at the N Y ,Port,Name item column. 
[0056] When Host C is selected as the automatically 
registered N_Port_Namo information of the host bus 
adapter 31 of host computer 30 in response to GPNJD, 
ihe port access permit/reject pair flag information can 
be changed on the table. Tho supervisor selects Enable. 



thus this host being enabled to access (step 605). Here, 
the host computer 30 can make re-recognition process- 
ing for the connected device (step 606). Then, login 
process is performed so that the S.JD corresponding to 

a the host computer 30 can be acquired from the host 
computer 30. Tho storage regions 51 . 52 under com- 
mand of storage controller 40 can be accessed by the 
host computer 30. After the subsequent reception of 
PLOGI frame, the process of entering all items concem- 

i0 ing the host computer 30 on the security table 200 ends. 
[0057] While N_Port_Namc information is used for 
the description with reference to Fig. 6. WWN informa- 
tion may be used therefor. 

[0058J In addition, while the security table (host infor^ 
1 5 motion table) 200 and security table (access enable/dis- 
able table) 201 or 202 arc shown as separate tables in 
Figs. 7A through 7C, they are managod as one table as 
shown in Fig. 7D. 

[0059] The execution of Inquiry command will be de- 

M scribed with reference to Fig. 9. The Inquiry command 
is a command to inquire, before the start of I/O process, 
the installation of the logic devices associated with the 
process, Specifically, this command is a request to in- 
quiry information before the host computer issues a re- 

25 quest to access to tho storage region LU under com- 
mand of storage controller 40. This command is a stand- 
ard command that is surely supported in SCSI. 
[0060] The detailed format of frame header 72 will bo 
described. Tho host computer to access to LU sends a 

m frame including Inquiry command to the storage control- 
ler 40 having tho LU to be accessed (step 901). This 
frame includes the S JO 82 of the host and LUN as an 
LU identifier lor inquiry assigned in PLOGI. 
[0061] To issue Inquiry and execute I/O. the SJD 82 

W is cut off out of the Inquiry frame (stop 902). Then, the 
N ..Port_Name corresponding to the SJD 82 is acquired 
trom the security table 200 showing the relation between 
N, ..Port. .Name (or WWN) and SJD 82. Thus, it is decid- 
ed which host computer has issued Inquiry (step 903). 

40 [0062] In addition, from the security table 201 it is de- 
cided if the decided host computer has right to access 
to the LU for I/O (step 904). It it has right, ACC Is sen! 
back to tho host computer that has issued Inquiry tor 
access (step 905). Then, I/O process is performed (step 

4$ 906). If it has no right. LS_RJT is transmitted back to the 
host computer (step 907). rejecting l{Q request (step 
908). 

[0063] Thus. I/O process is accepted or rejected, and 
Inquiry ends (step 909). 

50 [0064] With reference to Fig. 1 0, a description will be 
made of another embodiment having the function for the 
mode in which security setting Is automatically regis- 
tered in addition to the registration of host computers. 
[0065] Stops 1001 through 1009 arc the same as 

W steps 501 through 509 given in Fig. 5, and thus will not 
be described. 

[0066] After clipping Company JD at step 1009. the 
user decides to select manual or automatic security reg- 
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islralion (step 1010). 

10067) If manual registration is selected, steps 1011 
and 1012 arc executed. These steps are the same as 
stops 510 and 511 shown in Fig. 5. and thus will no! bo 
described. i> 
[0068] If automatic registration is selected, the micro- 
processor 42 checks if the host computers registered 
on the security table 200 include tho samo one as 
CompanyJD of new WWIM (step 1013), 
[0069J if there is not, the automatic sotting of security w 
cannot bo made, and thus the process goes to step 1 01 1 
as in the manual sotting. II there is the same 
CompanyJD, the security sotting of that CompanyJD 
is copiod as a CompanyJD of new WWN. thus the ac- 
cess enable/disable setting input for that host being 
omitted (step 1014). 

(0070J Step 1 01 5 and the following steps after gener- 
ating security table for each vendor are tho same as step 
515 and the following steps shown In Fig. 5. and thus 
will not be described. ?o 
(0071J Description will bo made of the case where a 
host computer is temporarily slopped or a host bus 
adapter is replaced due to failure in tho operating com- 
puter system, with reference to Fig, 11. 
[0072] When a certain host computer is extracted 25 
from the system (stop 1101). or when the cable connect- 
ed to tho host computer is disconnected from the switch 
of Fabric 60, the switch (not shown) of fiber channel 60 
sends fcSCN indicating change of state to all connected 
devices (stop 1102). Tho storage controller 40 that has ao 
received this notification sends accept (ACC) frame 
(step 1103). Tho storage controller 40 confirms if the 
host computer informed of by the received RSCN exists 
in the host computers now and^t login (step 1104). If 
there is, GPNJD j 5 sent to that host computer (step J* 
1105). 

[0073] Tho host computer extracted from the system 
is disconnected, and thus cannot respond to GPN JD. 
Therefore, the storage controller 40 cannot recoivo ac- 
cept (FS_ACC) (stop 1106). Thus, the storage controller 
40 internally execules logout process for this host com- 
puter. Then, ii changes the access enable/disable flag 
information of security table 201 to Disable, or makes 
that host be disabled to access (stop 1107). When the 
host is again connected after replacing the host bus 
adaptor, N_PortJviame inlormation is changed, and 
thu3 the 3ame mode as the new provision/addition of a 
host is brought about 

[0074] Hero, at step 1107 it is possible to set not to 
change the access enable/disablo flag information of so 
security table 201. Then, if the host computer is tempo- 
rarily stopped or resumes its operation after having been 
completely repaired, it can access to the same storage 
region as before the slop without again setting security 
table 201. The host bus adapter replacement process ss 
involves tho connection and disconnection of the cable 
of the same port. Thus, under the mode of "deciding host 
adapter replacement due to failure", automatic access 



386 A2 12 

setting can be made wiinoul enabling access on panel 
47 by supervisor. On the contrary, under the mode of 
"access enable/disable", addition process is executed 
as in the embodiment for host addition. 
[0075J LU security change will be described with ref- 
erence to Fig. 1 2. The security table 201 or 202 is Parted 
to change by use of panel 47 shown in Fig. 8 (step 1 201 ). 
First, change for oach WWN or each vendor is selected 
as a change mode (step 1202). 
[0076] When change for each WWN is selected, the 
microprocessor 42 controls panel 47 to indicate a list of 
host computers on the display 471 (step 1203). 
Then, the suporvisor operates the Key buttons 472 to 
change Ihe access enable/disable conditions of host lo 
be changed (stop 1204). 

(0077J When change for each vendor is selected, the 
microprocessor 42 cuts CompanyJD away from WWN 
of host information table 200. and generates tho security 
lable (access enable/disable table) 202 showing the ac- 
cess enable/disable conditions of vendors (step 1205). 
Then, tho vendor-access security table 202 is indicated 
on the display 471 of panel 47 (step 1206). The super- 
visor operates the key buttons 472 to change the access 
enable/disable conditions of a vendor to be changed 
(stop 1207). The microprocessor 42. on tho basis of the 
results, searches for the WWN having the CompanyJD 
of the vendor changed, and makes the access enable/ 
disablo table have the same contents as at stop 1204 
(step 1206). 

[0078] Then, the microprocessor 42 changes tho sc- 
curily table 201 (step 1209). Moreover, it issues a com- 
mand for re-recognition lo the host computer (step 
1210). The host computer sends PLOGI In response to 
this command, loading to login (step 1211). In order to 
make ihe access enabled host be disabled, it is neces- 
sary that the host computer to be disabled to access bo 
internally made logout by the storage controller 40 be- 
fore the re-recognition process. 
(0079] While in the above three examples, the access 
enable/disablo operations are made tor each LU unit of 
front end control unit 41 of storage controller 40, it is 
possible to m3ko setting not for each IU but for each 
storage controller 40. in that case, the accessed ones 
ol the security table 201 are not LU but storage controller 
40. Moreover, when iho from end control unit 41 has a 
plurality of ports, the access right of host is sot for each 
port, thoroby making it possible to avoid competition 
among host computers or provide priority to the host 
computers. 

[0080] In addition the security system can also be 
constructed by transferring tho security table 201 , after 
being generated by the storago controller 40. to the host 
computers, and making decision of whether they have 
access right from the table boforo tho hosts themselves 
issue PLOGI and Inquiry. In this case, the host comput- 
ers select only the access right portion of themselves 
Irom the security table sent from oach storage controller 
and store it. Similarly, a security table may bo provided 
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within Ihe switch or SAN manager provided between the 
host computer and the storage controller. Thus, the 
number of commands to bo transferred to the fiber chan- 
nel and commands that the storage controller handles 
can be docroasod, and the I/O process can be more ef- 
fectively performed. 

(0081] Moreover, data damage due to the access 
from a different protocol, different file system or different 
OS usually occurs only al the time of data writing, if data 
reading is conlrotled to execute from the host computer 
that has other protocols and different file system, it will 
be often advantageous. Therefore, it is possible that, as 
at steps 607 and 500 in Fig. 5. when the user is allowed 
to enter access right, read access and write access are 
separately set up so as to provide storage regions al- 
lowed only to be read or provide access right only for 
writing and froe accoss for reading. 
[0082] The same vendor sometimes manufactures 
host computers that have a plurality ol different lile 
types. In that case, use of CompanyJD might fall to 
achieve the original security. At that time, a code for 
identifying OS or file type is added to CompanyJD. and 
this CompanyJD can bo usod to substitute for the 
CompanyJD described in the previous embodiments. 
[0083] It is also possible to detect the protocol, tile 
type and OS of host from PLOGl not using 
N„.Port__Namo tor identifying the host computers, and to 
use these identification information for CompanyJD, so 
that the some access right can be provided to the host 
computers of the same file type. 
[0084] While a single storage controller and two LUs 
are used in the above embodiments for the sake of sim- 
ple explanation* the present invention can bo applied to 
a system having a plurality of storage controllers, or 
three or more LUs. In this case, the security setting can 
be of course simplified. 

Moreover, the storage region may be logical volume 
unit. RAID group unit, or physical region or physical vol- 
ume unit that is not a logically divided unit, othor than 
LU unit. In addition, as in the case where there are pro- 
vided a plurality of storage units and a plurality of stor- 
age controllers, but logically one storage unit and one 
storage controller, multiple host computers, storage 
controllers and storage units include the meaning of be- 
ing both logically multiple and physically multiple ones. 
[0085] Furthermore* the recording media may be op- 
tical disks or magnotooptical disks other than magnetic 
disks, or magnetic tape other than disks, The technical 
field to be applied is not limited to the relation between 
the host computer and storage controller, but to the re- 
lation between othor information processors that are re- 
quired to provide access limitation. 



Claims 

1. A storage system comprising: 



a storage unit (SO) having storage regions for 
storing data; and 

a (tloraga controller (40) having a back end con- 
trol unit (46) for controlling Ihe transfer of data 

5 from or to said storage unil> a cache (45) for 

temporarily storing information read from said 
storage unit, a front end control unit (41) for 
controlling the transfer of data between said 
cache and a host computer (10, 20, 30) and a 

'0 processor (42) that acquires information for 

identifying said host computer from a frame 
sent from said host computer and that forces a 
memory (43) to storo said information. 

in 2, A storage system comprising: 

a storage unit (50) having storage regions for 
storing data; and 

a storage controller (40) having means (42) for 
so identifying storage regions of said storage unit, 

moans (42) for separating information lor iden- 
tifying a host computer (10, 20, 30) from a frame 
included in a login request from said host com- 
putor, a monitor (471) for displaying said con- 
nected host computer and said storage regions 
on the basis of said separated information, a 
panel (47) for designating a storage region thai 
can be accessed by said host computer with 
reference to said monitor, and means (42) for 
30 sotting access right of said host computer to 

said storage regions on the basis of designation 
entered through said panel. 

3. A storago system according to claim 1 or 2, wherein 
said information for identifying said host computer 
is n ...Port.. Name or World Wide Name. 

4. A storage system according to claim 1 or 2, wherein 
said information for identifying said host computer 

40 is CompanyJD. 

5. A storage system according to claim 4, wherein in- 
formation or vendor corresponding lo said 
CompanyJD is previously stored. 

6. A storage system according to claim 1 or 2, wherein 
intonnaiion for identifying &aid host computer (10. 
20. 30) is any one of protocol, file type or OS of said 
host computer. 

50 

7. A storage system according to any one of claims 1 
through 6. wherein said storage controller is con- 
nected to said host computer (10, 20. 30) through 
a network. 

56 

8. A storage system according lo any one of claims 1 
through 6, wherein said storage controller (40) is 
connected to said plurality of host computers having 
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a different protocol and/or a different file system. 

9. A storage controller (40) comprising: 

a back end control unit (46) for controlling the s 
transfer of data from or to a storage unit (5©) 
under command of said storage controller; 
a cache (45) for temporary storing information 
read from said storage unit; 
a front end control unit (41) for controlling the 10 
transfer ol data between said cache and a host 
computer (10. 20, 30); and 
a processor (42) for acquiring information tor 
identifying said host computer from a frame 
sent from said host computer and controlling o i$ 
memory (43) to store said information. 

10. A storage controller (40) comprising; 

means (42) for identifying storage regions un* 20 
der command of said storage controller; 
means (42) for separating information for iden- 
tifying a host computer (1 0. 20. 30) from a frame 
included in a login request that said host com- 
putor issues; ?s 
a monitor (471) for displaying said connected 
host computer and said storage regions on tho 
basis of said separated information; 
a panel (472) lor designating a storage region 
that can be accessed by said host computer 
with reference to said displayed information; 
and 

means (42) for setting the access right of said 
host computer to said storage regions on the 
basis of designation entered through said pan- Jfl 
el. 



11 



in y storage system having a storage controller (40) 
and a plurality of host computers (10. 20. 30) con- 
nected via a network, a method of sotting security w 
for said storage system by said storage controller, 
comprising; 

a step (502) of receiving a frame (70) including 
information for identifying said host computers 
(10.20,30); 

a step (503) ol separating said information from 
said frame and storing said information; 
a step (506) ol identifying storage regions un- 
der command of said storage controller; w 
a step (507. 510) of generating a table (200, 
201 , 202; 700) of said host computers and said 
storage regions on the basis of said separated 
information; 3nd 

a step (500, 511) of designating on said tablo a 
storage region that can be accessed by said 
host computers. 



12. In a storage systom having a storage controller and 
a plurality of host computers (10. 20 4 30) connected 
via a network, a method of setting security for said 
storage system by said storage controller, compris- 
ing: 

a step (503) of receiving a login request; 
a step (503) of separating information for iden- 
tifying said host computers (10, 20, 30) from a 
frame (70) included in said login request; 
a step (506) of identifying storage regions (50) 
undL»r command of said storage controller; 
a step (507, 510) of displaying said connected 
host computers and said storage regions on the 
basis ol said separated information; 
a step (508, 511 ) of designating a storage re- 
gion that can be accessed by said host com* 
pulers with reference to said displayed informa- 
tion; and 

a step (513) of setting the access right of said 
host computers to said storage regions on the 
basis of the designation in said designating 
step, 

13. A security setting method according to claim 12, 
wherein said information lor identifying the host 
computers is any ono of N _Pori.JMame, World Wide 
Name and Company ID, 

14. tn a storage system having a storage controller and 
a plurality ol host computers connected via a net- 
work, a method of sotting security tor said storage 
system by said storage controller, comprising: 

a stop (502) of receiving PLOGI; 
a step (503) of separating N Porl__Name or 
World Wide Name from a frame (70) included 
in said PLOGI; 

a step (504) of generating a table associated 
wjlh said N_Port_ Name or World Wide Name 
and S.JD included in said PLOGI; 
a step (003') ol deciding if said N^Port^Name 
or World Wide Name is previously stored; 
a stop (506) of identifying storage regions un- 
der command of said storage controller if said 
decision is that It is not previously stored; 
a step (507, 510) of displaying said connecled 
host computers and said storage regions on the 
basis of said separated N_Port_Name or World 
Wide Name; 

a step (508, 611) or designating a storage re- 
gion that can be accessed by said host com- 
puters with rofcronco to said displayed informa- 
tion; 

a step (513) ot setting the access right of said 
host computers to said storage regions on the 
basis ot the designation in syjd designating 
step: and 
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a step (514) ol ordering said host computers to 
again send PLOGI, 

15. A security setting method according to any one of 
claims 11 through 14, wherein said designation for 5 
said accessible storage regions is performed tor 
each of the accesses using separate read com- 
mand and write command. 

16. In a storage system having a storage controller and w 
a plurality of host computers connected via a net- 
work, a method of setting security for said storage 
system by said storage controller, comprising; 

a step (502) of receiving a login request; T $ 
a step (503) of separating Worid Wide Name 
from a frame (70) included in said login request: 
a step (5&9) of further separating CornpanyJD 
from said World Wide Name; and 
a step (512) of. when the access right of the *o 
same CornpanyJD to storage regions is al- 
ready registered, making said access right be 
used as access right of said host computers 
that have sent said login request. 

2b 

17. A security setting method according to any one or 
claims 11 through 16. further comprising a step of 
transferring said access right to said host comput- 
ers. 

no 

18. A security setting method according to claim 14, fur* 
thor comprising the steps or, when said host com- 
puter (30) is added to said storage system, request- 
ing N J^orLNamo or Wold Wide Name to said add- 
ed host computer in response to a notification M 
(RSCN) that informs of state change of said storago 
system, adding information of said added host com- 
puter to said tabte and enabling the access right of 
said added host computer to be sot on the basis of 
said NJ>ort_Neme or World Wide Name from said *o 
added host computer. 

19. A security sotting method according to claim 14. 
wherein when one (1®, 20 or 30) of said host com* 
pulers is temporarily disconnected from said stor- 
age system, information of said disconnected host 
computer is not changed on said table. 
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